Before I forget all the cool things that I learned today, I better write them now. I attended my second Microsoft training workshop today. It was on secured application development. I have never had much experience in writing secured code, and I must admit it was a pretty cool learning experience for me.
I woke up at 6:45 am to get ready for the workshop, which started at 8:30. The workshop is in Washington D.C., and I had to print out the directions before I left the house. The traffic was a little bad on I-495, which is normally packed during rush hour, but it cleared up after a few miles, so it wasn't that bad this morning. I got off at exit 39B on River Road heading toward Washington D.C. I drove for about 5 miles before I took a left on Western Ave. I drove for about half a mile before taking a right on Wisconsin Ave. The Microsoft office is located in the Chevy Chase Pavilion Building, which is right on Wisconsin Ave. I parked in the Pavilion parking lot and took the elevator up to the Microsoft office at around 8:35.
There were two receptionists, who directed me to the classroom all the way down the hall. I didn't see a lot of people there, so my first thought was that maybe I was there a little early, but it turned out there were only about 20 of us at the workshop. My first Microsoft workshop was conducted in a theater where hundreds of people showed up. That was part of Microsoft's Ready to Launch events. There were food and beverages on a few tables set up outside the classroom for the attendees. I had myself a muffin and a cup of coffee.
The presenter at the workshop was Talhah Mir. He introduced himself as a member of Microsoft's ACE (Application Consulting and Engineering) team, which is responsible for application performance, security and privacy engineering at Microsoft. He started off with an ice breaker. It was nice to get an idea of who was in the room and know what everyone wanted to get out of the workshop.
Talhah started off with Threat Modeling. I learned that threat modeling should be done independently of any specific platform. This is something that needs to be done before any code is written. Threat modeling can be summarized as follows: threats are realized through attacks, which are materialized through vulnerabilities, which then can be mitigated with countermeasures. Talhah explained that the task of the development team was to define these threats clearly and precisely, so that the security team could come up with attacks, vulnerabilities, and countermeasures appropriately. Talhah also introduced the Microsoft Threat Analysis and Modeling Tool along with Attack Libraries. I like the tool for its extensibility through XML and XSLT.
Talhah introduced the concept of cryptography. He also went on to demonstrate various loopholes in writing code. A few that I remember are Dynamic SQL, Integer Overflow and Session and Cookie Attacks. I thought the demos were cool and neatly organized to show the various kinds of attacks and solutions to these attacks.
The workshop ended around 3pm, which I like because I could go home before rush hour kicked in. I am starting to like these workshops more and more, because they give me a chance to learn about so many things. I learned a lot at the workshop today, not only through Talhah's presentation, but also from the discussions with other attendees. I still consider myself new to the development world, because I have only been doing it professionally for two years, so it's always great to listen and learn from the people around me.
I thought Talhah was a good presenter. He was very knowledgeable about the topic, and he was able to communicate it clearly. I learned a great deal about threat modeling through his presentation and demos. He said that if there was one thing one should have taken from the presentation, it was the Principle of Least Privilege. I will keep it in mind as I continue to learn to write less unsecured code.